
Apache httpd 2.0.51 Released

Posted by timothy
from the now-with-more-patch dept.
djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."
  • mod_perl (Score:4, Interesting)

    by embobo (1520) on Wednesday September 15, 2004 @04:28PM (#10259745) Homepage
    Is mod_perl 2.0 ready for prime time yet? Last time I checked--a few months ago--the core was there but the mp 1.x emulation didn't work very well and some important modules, e.g., Apache::AuthCookie weren't ported yet. I went back to 1.x.
    • Re:mod_perl (Score:4, Informative)

      by djh101010 (656795) * on Wednesday September 15, 2004 @05:43PM (#10260420) Homepage Journal
      Can't speak to 2.0; I'm still using 1.99_16 myself, which seems to be playing nice with 2.0.50 and I assume 2.0.51 (building now).
      • Do we still need to recompile mod_*s with each new apache release or is the ABI stable enough to carry the binaries on?
        • Re:mod_perl (Score:2, Informative)

          by Anonymous Coward
          ABI is generally stable enough. Be careful about just replacing httpd / libhttpd.so though - because some of the security / bug fixes are in modules (or in libapr.so / libaprutil.so) and not the core.

          Third party modules should march happily on without being rebuilt.

          An obvious exception might be modperl which provides substantial coverage of entry points, constant #defines and other aspects of the core itself. It also relies on 'expected results' from a lot of edge functions which weren't widely used (and
  • by molo (94384) on Wednesday September 15, 2004 @05:00PM (#10260006) Journal
    Here is the list of vulnerabilities. For more information (including a list of affected versions), see the Apache Week [apacheweek.com] listing.

    Does anyone have any information about whether the mod_ssl DoS vuln affects Apache 1.3.x as well? Thanks. -molo


    An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
    [CAN-2004-0786]

    A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
    [CAN-2004-0747]

    A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
    [CAN-2004-0751]

    A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
    [CAN-2004-0748]

    A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
    [CAN-2004-0809]
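
The first entry in the list above (CAN-2004-0786) names a general bug class: a length computed by pointer subtraction goes negative and is then converted to a huge `size_t` by `memcpy`. The following is an added illustration of the defensive check for that class, not part of the post above and not Apache or APR code; the function name `extract_ipv6_literal` and the input `"]:80"` are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not an Apache or APR function.
 * Copies the address inside a bracketed IPv6 literal ("[::1]" or
 * "[::1]:8080") into out. Returns 0 on success, -1 on rejected input. */
int extract_ipv6_literal(const char *s, char *out, size_t outlen)
{
    const char *start, *end, *colon;
    ptrdiff_t len;   /* signed on purpose, so a bad value is detectable */

    if (s == NULL || out == NULL || outlen == 0)
        return -1;

    /* Locate the closing bracket from the right: either the last
     * character, or the character just before the final ":port". */
    end = s + strlen(s);
    colon = strrchr(s, ':');
    if (colon != NULL && colon > s && colon[-1] == ']')
        end = colon;
    if (end == s || end[-1] != ']')
        return -1;
    end--;                      /* end now points at ']' */

    /* Without this check, the constructed input "]:80" would give
     * start = s + 1, end = s, and a length of -1 further down. */
    if (s[0] != '[')
        return -1;
    start = s + 1;

    len = end - start;
    /* Reject empty, negative or oversized lengths while still signed;
     * cast to size_t only after the range check. */
    if (len <= 0 || (size_t)len >= outlen)
        return -1;
    /* Only hex digits, ':' and '.' may appear in the address. */
    if (strspn(start, "0123456789abcdefABCDEF:.") < (size_t)len)
        return -1;

    memcpy(out, start, (size_t)len);
    out[len] = '\0';
    return 0;
}
```
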
  • by troon (724114) on Thursday September 16, 2004 @03:22AM (#10263764)

    I've yet to try it out, but this release claims to allow the administrator to unset the previously-mandatory Content-Location header added when mod_negotiation is in play.

    This "feature" triggered an Opera "feature" that made in-document fragment anchors fail on dynamically generated, URL-rewritten documents.

    Full description [plus.com] of the problem. Hopefully 2.0.51 means I don't need to fiddle with the Apache source any more: I'll update the problem page if so.

  • by agent dero (680753) on Thursday September 16, 2004 @08:08PM (#10272832) Homepage
    Here at Texas A&M, IBM just gave a talk to our ULUG (Unix & Linux UG) about a project they use called "BogoSec" where they can get rough estimations of source security.

    The most drastic example of security problems was between vsftpd and wu-ftpd, but the presenter also showed some graphs for httpd 2.xxx releases, where the bugfix releases drastically improved the security.

    Hoorah for bugfix releases, they're always good.
  • I've been running this version on a box for a few days now and haven't seen any performance issues or outstanding bugs, so I would really recommend everyone upgrade ASAP.

    blog [homeip.net]

  • There's a patch for the security regression in 2.0.51. See CAN-2004-0811 and Apache Week for 9/23/2004 [apacheweek.com]. Another Apache release 2.0.52 is coming down the pike to fix this and some minor issues.

    To quote ApacheWeek: One of the new features included in [Apache 2.0.51] is that a container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy An
